And it doesn't alert owners to multiple logins from across the country or world – a tell-tale sign of an account compromise – nor limit the rate at which miscreants can attempt to guess account passwords. It does not direct people to use multi-factor authentication, nor does it require strong passwords, and nor does it reject username-password combinations known to be stolen from other websites. It basically fails to prevent netizens from falling foul of brute-force attacks and credential stuffing, and subsequent security device hijackings, by miscreants on the other side of the internet.
That is a basic security feature most people tend to overlook or ignore.